Security Sprint: Falco

Hello again! Continuing with the security sprint articles, this week I'm going to talk about Falco. Nope! I'm not talking about the musician; I'm referring to an open source tool that lets us monitor behavioural activity and detect anomalous activity in applications.

The most important part of a rule is the condition, a filter applied to each system call. The final output is a notification message that mixes plain text with information taken from the event. We will see an example, but first, let's install Falco.

Now, let's get back to the example. The official documentation explains how a rule can monitor file opens in order to identify attempts to open a file. I'm going to try the same on my own container using Docker:

After playing around a bit, let's exit and tail our log.

tail /var/log/falco_events.log

That's it! Falco throws an alert.

Welp, now let's try another example: any process trying to write to a non-data directory. After running curl https://raw.githubusercontent.com/katacoda-scenarios/sysdig-scenarios/master/sysdig-falco/assets/falco_rules_step4.yaml -o falco_rules.yaml and restarting Falco in Docker:
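To make the rule structure concrete, here is an added example that is not part of the original post or of the katacoda files above: a minimal Falco rules file in the same YAML format that expresses the non-data-directory check, with the condition filter and the output template side by side. The directory list, the macro names and the rule name are assumptions of mine.

```yaml
# Added example: a small Falco rules file modelled on the
# "write to a non-data directory" check. data_dirs is an assumed list.
- list: data_dirs
  items: [/data, /var/lib/app, /tmp]

# A macro is a named condition fragment that rules can reuse.
# Matching on the exit side of the syscall (evt.dir=<) means fd.name
# is already resolved when the condition is evaluated.
- macro: open_write
  condition: >
    (evt.type in (open, openat, openat2) and evt.dir=< and
     evt.is_open_write=true and fd.typechar='f')

# Restrict the rule to processes running inside containers.
- macro: in_container
  condition: container.id != host

- rule: Write below non-data directory
  desc: >
    A containerised process opened a file for writing outside the
    directories listed in data_dirs, where all expected writes should go.
  # fd.directory is an exact match on the parent directory, so
  # subdirectories of a data directory must be listed too (or use
  # fd.name pmatch (data_dirs) for prefix matching).
  condition: >
    open_write and in_container and not fd.directory in (data_dirs)
  # %field placeholders are filled in from the matching event, which is
  # the "plain text plus event information" mix described above.
  output: >
    File opened for writing outside a data directory
    (user=%user.name command=%proc.cmdline file=%fd.name
     container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, container]
```

Pointing Falco at this file instead of falco_rules.yaml and writing to, say, /etc from inside a container should produce a line in the events log in the format given by output.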

So, that's it! For more information on using Docker and Falco, check this tutorial, where the YAML files I used are hosted.